Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with third-party applications. The connector for RSA Authentication Manager is used to integrate Oracle Identity Manager with RSA Authentication Manager.
This chapter contains the following sections:
Note:
In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.At some places in this guide, RSA Authentication Manager has been referred to as the target system.
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
Item | Requirement |
---|---|
You can use one of the following releases of Oracle Identity Manager:
The connector does not support Oracle Identity Manager running on Oracle Application Server. For detailed information about certified components of Oracle Identity Manager, see the certification matrix on Oracle Technology Network at
|
|
The target system can be any one of the following:
|
|
JDK |
The JDK version can be one of the following:
|
Other systems |
RSA SecurID software token application See Also: The "Installing Software Tokens" section for more information about the RSA SecurID software token |
The connector supports the following languages:
Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish
See Also:
For information about supported special charactersFor Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x, see Oracle Identity Manager Globalization Guide.
For Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Reconciliation involves duplicating in Oracle Identity Manager additions of and modifications to user accounts on the target system. It is an automated process initiated by a scheduled task that you configure.
See Also:
One of the following guides for conceptual information about reconciliation configurations:For Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x, see Oracle Identity Manager Connector Concepts Guide.
For Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware User's Guide for Oracle Identity Manager.
This section discusses the following topics:
The following target system fields are reconciled:
Default Login
First Name
Last Name
Temporary User
Start Date
Start Time
End Date
End Time
Group Name
Group Login
Key Value
Data Value
Token Serial Number
Type of Token
The following target system fields are reconciled only if trusted source reconciliation is implemented:
User ID
First Name
Last Name
Employee Type
User Type
Organization
The following are features related to the reconciliation of multivalue attribute groups:
Group names that include the names of sites are entered in the group_name@domain_name
format. In Oracle Identity Manager 9.0.3, you can choose not to include the domain name while creating or updating the name of a group. Similarly, regardless of whether or not the name of a group in the target system includes a domain name, it is reconciled in Oracle Identity Manager.
Note:
The term "domain name" in the Oracle Identity Manager context is the same as "site name" in RSA Authentication Manager.When a user is deleted from a group in ACE, the group is also deleted from the user's ACE process child table.
Provisioning involves creating or modifying a user's account information on the target system through Oracle Identity Manager. You use the Administrative and User Console to perform provisioning operations.
See Also:
One of the following guides for conceptual information about provisioning:For Oracle Identity Manager release from 9.0.1 through 9.0.3.2 and release 9.1.0.x, see Oracle Identity Manager Connector Concepts Guide.
For Oracle Identity Manager release 11.1.1, see Oracle Fusion Middleware User's Guide for Oracle Identity Manager.
For this target system, provisioning is divided into the following types:
In this provisioning type, you can specify values for the following fields:
Default Login
First Name
Last Name
Temporary User
Start Date
Start Time
End Date
End Time
Group Login
Group Name
Key Value
Data Value
In this provisioning type, you can specify values for the following fields:
Token Serial Number
PIN
Current Token Code
Lifetime (hours)
Number of Digits
Type of Token
Copy Protection Flag
Password
Password Usage and Interpretation Method
Software Token File Name
Encryption Key Type
Type of Algorithm
The following table lists the functions that are available with this connector.
Function | Description |
---|---|
Create User | Creates a user |
Update User | Updates the identity attributes of a provisioned user |
Delete User | Deletes a user
This function would not run if the user to be deleted is an administrator. |
Enable Token | Enables a disabled token |
Disable Token | Disables an existing token |
Assign SecurID Tokens to Users | Assigns a token to a user
While assigning a software token to the user, the Type of Algorithm field must be filled in the process form.
|
Revoke SecurID Tokens from Users | Revokes a token from a user |
Assign Users to RSA Authentication Manager Groups | Assigns a user to a group
You must ensure that the following prerequisites are met before you use this function:
|
Remove Users from RSA Authentication Manager Groups | Removes a user from a group
You must ensure that the following prerequisites are met before you use this function:
|
Set Token PIN | Updates the configuration of a token according to a change in the PIN attribute |
Set PIN to Next Token Code Mode | Sets the PIN to the next token code mode in RSA Authentication Manager |
Track Lost Tokens | Updates the configuration of a token according to a change in the Track Lost attribute |
Test Login | Verifies the login for a new user to whom a token has been assigned
You must ensure that the following prerequisites are met before you use this function:
For software token types, you must enter the passcode, instead of the token code, in the Current Token Code field in the process form. The passcode can be viewed by using the software token application, which is installed on the Oracle Identity Manager server. See Also: The "Installing Software Tokens" section for more information |
Add key-data pairs to user extension data | Adds a key-data pair to user extension data
Before you use this function, you must ensure that the following prerequisite is met: User must not have user extension data with the same key before provisioning to the target system. |
Update key-data pairs in user extension data | Update a key-data pair in user extension data
Before you use this function, you must ensure that the following prerequisites are met:
|
Delete key-data pairs from user extension data | Delete a key-data pair user extension data
Before you use this function, you must ensure that the following prerequisite is met: User must have user extension data with the same key value before provisioning to the target system. |
The files and directories that comprise this connector are listed and described in Table 1-2.
Table 1-2 Files and Directories On the Installation Media
File in the Installation Media Directory | Description |
---|---|
Files in the |
These XML files specify the information to be submitted by the requester during a request-based provisioning operation. |
lib/xliACE.jar |
This JAR file contains the class files required for provisioning. During connector installation, this file is copied to the following location:
|
lib/xliACERecon.jar |
This JAR file contains the class files required for reconciliation. During connector installation, this file is copied to the following location:
|
remotePackage/config/xl.policy |
This file contains the security configuration that is required for the RMI server codebase for running calls on RSA Authentication Manager for reconciliation. |
remotePackage/lib/ACE52/ACEUser.dll |
This file contains the shared library that is required to support provisioning in RSA ACE Server 5.2. |
remotePackage/lib/ACE52Sol/libACEUser.so |
This file contains the shared library that is required to support provisioning in RSA Authentication Manager. |
remotePackage/lib/AuthMgr60/ACEUser.dll |
This file contains the shared library that is required to support provisioning in RSA Authentication Manager 6.0. |
remotePackage/lib/AuthMgr61/ACEUser.dll |
This file contains the shared library that is required to support provisioning in RSA Authentication Manager 6.1, on Microsoft Windows. |
remotePackage/lib/xliACERemote.jar |
This file contains the Java classes that are required for provisioning to RSA Authentication Manager and reconciliation from RSA Authentication Manager to Oracle Identity Manager. |
remotePackage/scripts/AuthMgrImportXLCert.bat |
This file contains the script for importing the required security certificate into the remote manager keystore ( |
remotePackage/scripts/AuthMgrImportXLCert.sh |
This file contains the script for importing the required security certificate into the remote manager keystore ( |
remotePackage/tests/config/xl.policy |
This file contains the security configuration required for the RMI server codebase to run test calls on RSA Authentication Manager. |
remotePackage/tests/lib/xliACETestServer.jar |
This file contains the Java classes that are required to run the RMI server for running test calls on RSA Authentication Manager. |
remotePackage/tests/scripts/runTestServer.bat |
This file contains the script that is required to run the RMI server for running test calls on RSA Authentication Manager. |
remotePackage/tests/scripts/runTestServer.sh |
This file contains the script that is required to run the RMI server for running test calls on RSA Authentication Manager, on Solaris. |
Files in the |
Each of these resource bundles contains language-specific information that is used by the connector. During connector installation, these resource bundles are copied to the following location:
Note: A resource bundle is a file containing localized versions of the text strings that are displayed on the Administrative and User Console. These text strings include GUI element labels and messages. |
scripts/AuthMgrImportRMCert.bat |
This file contains the script for importing the required security certificate in the Oracle Identity Manager server keystore ( |
scripts/AuthMgrImportRMCert.sh |
This file contains the script for importing the required security certificate in the Oracle Identity Manager server keystore ( |
tests/config/config.properties |
This file contains the properties required by the RMI client for running test calls from the Oracle Identity Manager server. |
tests/lib/xliACETestClient.jar |
This file contains the Java classes required to run the RMI client for running test calls from the Oracle Identity Manager server. |
tests/scripts/runTestClient.bat |
This file contains the script required to run the RMI client for running test calls from the Oracle Identity Manager Server, for Microsoft Windows. |
tests/scripts/runTestClient.sh |
This file contains the script required to run the RMI client for running test calls from the Oracle Identity Manager Server, for Solaris. |
xml/RSAAuthManagerResourceObject.xml |
This file contains definitions for the following ACE User and ACE Token components of the connector:
|
xml/RSAAuthManagerXLResourceObject.xml |
This file contains configuration parameters for the Xellerate User. You must import this file only if you plan to use the connector in trusted source reconciliation mode. |
Note:
The files in thetests
directory are used only to run tests on the connector.The "Copying Connector Files" section provides instructions to copy these files into the required directories.
Note:
If you are using Oracle Identity Manager release 9.0.1 through release 9.0.3.2 and release 9.1.0.x, then the procedure described in this section is optional.If you are using Oracle Identity Manager release 11.1.1, then skip this section.
You might have a deployment of an earlier release of the connector. While deploying the latest release, you might want to know the release number of the earlier release. To determine the release number of the connector that has already been deployed:
Extract the contents of the xliACE.jar
file. This file is in the following directory on the installation media:
Security Applications/RSA Authentication Manager
Open the manifest.mf
file in a text editor. The manifest.mf
file is one of the files bundled inside the xliACE.jar
file.
In the manifest.mf
file, the release number of the connector is displayed as the value of the Version
property.